Heads up, WordPress admins! The NextScripts WordPress plugin had a serious cross-site scripting vulnerability that could affect thousands of websites. Since the bug has received the fix, users must ensure updating their sites to the latest plugin version.
NextScripts Plugin Vulnerability
Team Wordfence has shared details about another vulnerable WordPress plugin posing a severe security risk to WordPress sites.
This time, the vulnerability existed in the WordPress plugin NextScripts. It facilitates users in publishing posts from the site to the social media accounts, such as Facebook, Twitter, Instagram, and other apps like Telegram and Line. Given the usefulness of this plugin, it currently boasts over 100,000 active downloads. That also hints that a bug in this plugin could affect thousands of WordPress sites upon exploitation.
Elaborating on their findings in the latest blog post, Wordfence mentioned discovering a cross-site scripting (XSS) flaw in the plugin. Specifically, they noticed a reflected XSS that could allow an adversary to inject malicious codes on the target sites. Also, the attacker could induce malicious redirections from the victim’s site to other web pages.
As described in their post,
“It was possible to execute JavaScript in the browser of a logged-in administrator by tricking them into visiting a self-submitting form that sent a
POSTrequest to their site, for example,hxxps://victimsite.site/wp-admin/admin.php?page=nxssnap-post, with the$_POST[‘page’]parameter set to malicious JavaScript.
The$_GET[‘page’]parameter could be set tonxssnap-post, so that WordPress would route the victim to the correct page, and then the malicious JavaScript in$_POST[‘page’]would be echoed out on that page.
In the worst case, such exploitation could let the attacker inject backdoors into the site or even takeover it.
The vulnerability, CVE-2021-38356, has achieved a medium severity rating with a CVSS score of 6.1.
Patched Version Released
After discovering the bug, the researchers contacted the plugin developers, who promptly responded. However, it took some time for the team to release a fix.
Nonetheless, upon follow-up from Wordfence, the patch arrived with plugin version 4.3.21 on October 4, 2021.
Yet, this isn’t the latest version, as the developers have even addressed some other bugs with the newest release 4.3.23.
Therefore, all users should update to this version at the earliest to receive the fixes.